• Aucun résultat trouvé

We describe a CP-SNARK for polynomial equations that relies on the one for batched polynomial evaluations given in the previous section. This CP-SNARK is based on the optimizations proposed by [GWC19].

Although the formal general treatment of our scheme has several technical details, its intuition is simple. At the high-level, we verify each polynomial equation by sampling a random point, exploiting the Schwartz-Zippel Lemma and reducing the problem to proving polynomial evaluation. For example, we pick random point u and then reduce proving a(X)b(X)c(X) +d(X) = 0to a(u)b(u)c(u) +d(u) = 0. Then, for each monomial of degree d at least 2 in the polynomial equation, we recursively prove evaluation for a monomial of degree d−1. For example, assume monomial a(u)b(u)c(u) above equals valuey, then we could reduce toyab(u)c(u) =y by providing ya and relative proof to the verifier. We could then do this again forbby providing a proof thatb(u) =yb,yb and then reducing toyaybc(u) =y.

At this point we obtained a linear equation and we can use the approach of Proveeval. In the example above we first started fromaand then moved tobleavingclast, but clearly there are different recursion strategies. Some of them will be more efficient than others. Below, we abstracted away this aspect through minimal setS defined as in the pseudocode.

We define a class of CP-SNARKs for subsets of the relation Req (see Section 3.1). In particular, let C be a checker, we implicitly parameterize the CP-SNARK with the checkerC. Consider the following relation:

Req,C=

(G(j),v(j))j∈[k],(pj)j∈[`]: ∀i∈[`], x∈Zq:C(i, vi(x)) = 1∧

Req((G,v),(pj)j∈[`]) = 1

We define a (1,C)-leaky zero-knowledge CP-SNARK CPeq for the commitment scheme CS and the relation Req,C. Let Hbe a random oracle from {0,1} to Zq.

KeyGeneq(ck): execute(ekopn,vkopn)←KeyGenopn(ck) and(ekeval,vkeval)←KeyGeneval(ck) defineek:=

(ekopn,ekeval) andvk:= (vkopn,vkeval), and returnsrs:= (ek,vk).

Proveeq(ek,(G,v),(cj)j∈[`],(pj)j∈[`]): Execute the following steps.

1. Let W := {j ∈ [`] : type(cj) = swh} be the set of indices of type-swh commitments. Compute πopn ←Proveopn(ekopn,(cj)j∈W,(pj)j∈W);

2. Letˆx:= ((G(j),v(j))j∈[k],(cj)j∈[`])and setρ← H(ˆxkπopn). For anyl∈[k]ifdegX(G(l)(X, v1(l)(X), . . . , v(l)` (X))) > 0, and, for j ∈ [`], let a(l)j ← v(l)j (ρ), b(l)j = pj(a(l)j ); otherwise, let a(l)j ← vj(l)(0) and b(l)j =pj(a(l)j ).

3. For any l ∈ [k] let {a1,l, . . . , a`,l} = {a(l)j }j∈[`] (repeated values are not counted), let P1(l), . . . , P`(l)

be a partition of the set[`]such thatPt(l) ={j:a(l)j =at,l};

4. LetS be the minimal subset of [`]such that (1) exists an index i such that S¯= [`]\S ⊆Pi, (2) the polynomialG(x, X1, . . . , X`) has degree zero or one in the variables{Xj}j∈S.

5. Let P

j∈S¯ljXj +l0 be equivalent to the polynomial G with the variables (Xj)j∈S assigned to the values(bj)j∈S and the variableX assigned to the valueρ.

6. Leta=ai, b=−l0, c=P

j∈S¯lj·cj,p =P

j∈S¯lj·pj.

Letˆx0= ((aj, bj, cj)j∈S,(a, b, c))), namely ˆx0 is a vector of|S|+ 1instances ofReval. Computeπeval←Proveeval(ekeval,ˆx0,((pj)j∈S, p, p`))

7. Output (πopn,{bj}j∈Seval).

Verifyeq(vk,ˆx,π): Parseπ= (πopn,{bj}j∈Seval). Execute the steps 2,3, 4 and 5 of the prover (but do not compute the values(bj)j∈[`], bur rather take(bj)j∈[S]from the proof). Also computeW as in step 1. Compute the commitment c as in step 6 of the prover, set a = ai and b = −l0. We observe thatl0 can be computed efficiently since it depends only on the linear terms of Ginvolving the values {bj}j∈S and the constant term ofG(ρ, . . .).

Return1 iff:

1. Verifyopn(vkopn,(cj)j∈[W]opn) = 1,

2. Set ˆx0 as in step 6 of the prover,Verifyeval(vkeval,ˆx0eval) = 1and, 3. ∀j∈[`] :C(j, vj(aj)) = 1.

Efficiency. We give efficiency ignoring the costs of CPopn. Generating a proof requires generating a batched evaluation proof for|S|+ 1committed polynomials (see previous section). Verification requires O(|G|) F-operations for the partial evaluation of G and to recover the lj coefficients, plus the cost of one batched evaluation verification (2 pairings).

Security. In the following theorem we state the security ofCPeq.

Theorem 7.7. Let CPopn and CPeval be CP-SNARKs over commitment scheme CS for relations Ropn andRevalrespectively. ThenCPeq is a CP-SNARK overCSthat is knowledge-sound (with partial opening of type-rel commitments), and swh-typed (1,C)-leaky zero-knowledge. Moreover, if CPopn and CPeval

have commitment-only SRSs then CPeval has a commitment-only SRS.

Before proving the theorem we make the following observation.

Remark 13(On more fine-grained leakage). With a closer look, we observe that this scheme is actually (b,C)-leaky zero-knowledge, for a b such that bi = 1 if i ∈ S and bi = 0 otherwise. This is because evaluations of polynomials are revealed only if the index j is included in S.

Proof. Knowledge Soundness follows by the extractability ofCPopn, the Schwartz-Zippel Lemma and the knowledge soundness of CPeval. In particular, it is enough to extract only from type-swhcommitments as we only have to prove knowledge soundness with partial openings of type-relcommitments.

More in detail, for any benign relation sampler RGCom and auxiliary input samplerZ consider the adversary A that outputs an instanceˆx= (G,(vj)j∈[`],(cj)j∈[`]) and a proofπ, along with polynomials pj such thattype(cj) =rel. By the knowledge soundness ofCPopn we can extract polynomials (pj)j∈[`].

Moreover, since ρ = H(ˆxkπopn) the value ρ is independent from the polynomials G,v and (pj)j∈[`]

and uniformly random overZq. Thus applying the Schwartz-Zippel lemma, if the polynomialG0(X) :=

G(X,(pj(vj(X)))j∈[`])evaluates to0onρthenG0(X)≡0. We conclude noticing that, by the knowledge soundness of CPevalit holds that ∀j∈S :pj(aj) =bj andP

j∈S¯ljpj(a) =b thus G0(ρ) = 0.

We show thatCPeqis(1,C)-leaky zero-knowledge. Letˆxa valid instance ofRComeq,C. Consider the sim-ulator Sleak(ˆx)that computes aj ←vj(H(ˆxkπopn)) forj ∈[`]and outputs the list L={(j, aj)}j∈[`]. By definition ofˆxand by inspection ofL, the listLis(1,C)-bounded. The simulatorSprv(tdk,ˆx, leak) sim-ulates the proofπopn, then parsesleakas(bj)j∈[`] wherebj =pj(aj), lettingSprv0 be simulator ofCPeval andˆx0 = ((aj, bj, cj)j∈S,(a, b, c))), computesπ0 ← Sprv0(tdk,ˆx0) and outputs(πopn,{bj}j∈Spoly).

The indistinguishability easily follows by the zero-knowledge of the proofs ofCPevaland ofCPopn. 7.7 A CP-SNARK for CS2 for quadratic polynomial equations

Let us consider the following relation in whichG is an`-variate polynomial of degree 2:

Rqeq(G,(pj)j∈[`]) :=G(p1(X), . . . , p`(X))≡? 0

Rqeq is a simplification of Req in which the degree of G is restricted to 2, each vj(X) = X, and we removed the first variableX.

Here we show a simple CP-SNARK for the commitment scheme CS2 and the above relation Rqeq. This scheme is novel and to the best of our knowledge it did not appear in previous work. The techniques are inspired by the linear interactive proof compiler of [BCI+13].

The basic intuition is rather simple, whenGsatisfies the restriction above it is possible to homomor-phically compute G over (p1(s), . . . , p`(s)) in the target group using pairings and the linear property of the commitments. Like for the previous scheme, our approach is based on Schwartz-Zippel. Only, this time we exploit the random point shidden in the SRS of the commitment scheme for polynomial evaluation. Thus all the verifier needs to do is verify a pairing product for each of the monomials of the type a(X)b(X). For this to be possible, it needs to have each of the two polynomials a and b in two distinct groups. This is the case if they are committed through different types, i.e., one as typereland the other as typeswh. Otherwise, if they are both committed in the same group, we let the prover send one of the two polynomials committed in the “symmetric” group. Like in CPeq we abstract the most efficient approach to do this through a minimal set, in this case setJ as defined in the pseudocode.

KeyGenqeq(ck): execute(ekopn,vkopn)←KeyGenopn(ck) and return srs:= (ekopn,vkopn).

Proveqeq(ek, G,(cj)j∈[`],(pj)j∈[`]):

first, let W :={j ∈[`] :type(cj) =swh}be the set of indices of type-swhcommitments, and compute πopn ←Proveopn(ekopn,(cj)j∈W,(pj)j∈W). Then proceed as follows:

• Consider the undirected graph where V = [`] and there is an edge {i, j} if type(ci) =type(cj) and the term (Xi·Xj) is non zero inG.

• LetJ be the min-cut of such graph, namely the minimal set of nodes that cover all the edges of G.

• For any j∈ J :

if type(cj) =swh, computec0j = [pj(s)]2; if type(cj) =rel, computec0j = [pj(s)]1;

• LetC0={c0j}j∈J and outputπ:= (πopn,C0).

Output π:= (πopn,C0).

Verifyqeq(vk,ˆx,π): parse C0 ={c0j}j. Reconstruct the setJ as in the prover algorithm, and return 1 if and only if all the following checks pass:

1. Verifyopn(vkopn,(cj)j∈[W]opn) = 1, forW computed as in step 1 of the prover;

2. for allj∈ J, checke(cj,[1]2) =e([1]1, c0j) (iftype(cj) =swh) ore(c0j,[1]2) =e([1]1, cj)(iftype(cj) = rel);

3. [ ˆG((c0j)j∈[`],(c0j)j∈J)]T = [1]? T, where Gˆ is a modified version of G where the computation of a quadratic term involving onlycj is performed ase(cj, c0j)(or e(c0j, cj)).

Efficiency. Generating a proof requires |J | operations ofG1 or G2 to compute eachc0j. Verification requires2|J | pairings in step 2 and t+ 1 pairings in step 3, where tis the number of quadratic terms inG. Here we ignored the cost ofCPopn as well as that to compute the min-cut J; in our applications this is trivial and can be given as a parameter.

Security. In the following theorem we state the security ofCPqeq.

Theorem 7.8. IfCPopn is a CP-SNARK forRopn overCS2 thenCPqeq is a complete, knowledge-sound (with partial opening of type-rel commitments) zero-knowledge CP-SNARK for Rqeq over CS2 under the d-DLOG assumption for GenG. Moreover, if CPopn has a commitment-only SRS then CPqeq has a commitment-only SRS.

Proof Sketch. We define the extractor ofCPqeqto be the same as theCPopnextractor. By the knowledge soundness of CPopn, such extractor returns a tuple of polynomials(pj)j∈[`] such that for everyj∈[`]it holds cj = [pj(s)]gj for the appropriate group gj.

We want to bound the probability that for the extracted polynomials it holdsG(p1(X), . . . , p`(X))6≡

0 (while the proof accepts). Let us define p(X) = G(p1(X), . . . , p`(X)). Since the proof accepts we have p(s) = G(p1(s), . . . , p`(s)) = 0. Then we can factor p(X) to recover the roots, and thus break d-DLOG assumption.

7.8 CP-SNARKs for degree of committed polynomials

In this section we show two CP-SNARKs, CP(?)deg and CP(2)deg, for proving a bound on the degree of committed polynomials, namely they work for the universal relation Rdeg in which every Rdeg ∈ Rdeg consists of a vector(dj)j∈[`]of degrees, such that every dj ∈[d], and the relation is satisfied if and only if ∀j:deg(pj)≤dj.

The basic idea of the schemes is the following. To prove thatdeg(p)≤d one commits to the shifted polynomialp(X) =Xd−dp(X)and then proves that the polynomial equationXd−d·p(X)−p(X) = 0 using a CP-SNARK for polynomial equations. This idea is extended in order to batch together these proofs for several polynomials.

The two schemes CP(?)deg and CP(2)deg follow this approach with the only difference that CP(2)deg makes use of the optimized schemeCPqeq for quadratic equations. Indeed,Xd−d·p(X)−p(X) = 0 can be seen as a quadratic equation in which the polynomial Xd−d can be committed in G2 by the Derive algorithm.

Therefore we have that CP(?)deg can work with both commitment schemesCS1 and CS2, while CP(2)deg works withCS2 only. Both CP-SNARKs are swh`-restricted complete.

Finally, we remark that in the CP-SNARKs below we assume that the degree bounds are always strictly less than the maximal degreedsupported by the commitment keyck. In fact, for suchda proof for deg(p)≤dis for free.

7.8.1 Scheme CP(?)deg

We define the CP-SNARK CP(?)deg= (KeyGendeg,Provedeg,Verifydeg) as follows.

KeyGendeg(ck): execute (ekopn,vkopn) ← KeyGenopn(ck), execute (ekeq,vkeq) ← KeyGeneq(ck), define ek:= (ck,ekopn,ekeq) and vk:= (vkopn,vkeq), and returnsrs:= (ek,vk).

Provedeg(ek,(dj)j∈[`],(cj)j∈[`],(pj)j∈[`]):

1. Computeπopn ←Proveopn(srs,(cj)j∈[`],(pj)j∈[`]);

2. Let ρ1, . . . , ρ` ← H((dj)j∈[`],(cj)j∈[`]opn), let {d1, . . . , d`} = {dj}j∈[`] (repeated values are not counted), and letP1, . . . , P` be a partition of the set [`]such thatPk={j:dj =dk};

3. For all i∈[`]letc0i ←[p0(s)]1:= [P

j∈Piρj·pj(s)]1 andci ←[pi(s)]1:= [sd−di ·P

j∈Piρj·pj(s)]1; 4. Computeπopn ←Proveopn(srs,(cj)j∈[`],(pj)j∈[`]).

5. For all i ∈ [`], define Gi(X, Xi0, Xi) = Xd−di ·Xi0 −Xi, v1(i)(X) = v2(i)(X) = X, and compute πeq←Proveeq(ekeq,(Gi,v(i))i∈[`],(c0i, ci)i∈[`],(p0i, pi)i∈[`])

6. Return(πopn, c1, . . . , c`opneq).

Verifydeg(vk,(dj)j∈[`],(cj)j∈[`],π): Parse π = (πopn, c1, . . . , c`opneq), and compute ρ1, . . . , ρ` and Gi,v(i) as the prover does. Return 1 iff :

1. Verifyopn(vkopn,(cj)j∈[`]opn) = 1and, 2. Verifyopn(vkopn,(cj)j∈[`]opn) = 1and,

3. Verifyeq(vkeq,(Gi,v(i))i∈[`],(c0i, ci)i∈[`]eq) = 1.

Efficiency. Generating a proof requires `·d G1-exponentiations and O(`·d) F-operations, where d = maxj∈[`]{deg(pj)}, the cost of generating two CPopn proofs and one CPeq proof. Verification requires verifying two CPopn proofs and one CPeq proof.

Remark 14 (Optimization). When CP(?)deg is used in a larger protocol that uses other invocations of CPeq, we observe that these proofs can batched together (which in turn implies for example the use of the same random point, and of the same CPeval proof ).

Security. In the following theorem we state the security ofCP(?)deg.

Theorem 7.9. IfCPopn is a CP-SNARK forRopn andCS1 (resp. CS2), andCPeq is a CP-SNARK for Req, then CP(?)deg is a knowledge-sound and zero-knowledge CP-SNARK for CS1 (resp. CS2).

Proof. Let (pj)j∈[`] and (pj)j∈[`] be the polynomials extracted from πopn and πopn by the knowledge soundness ofCPopn. We notice thatρ1, . . . , ρ` are uniformly random and independent of(pj)j∈[`], since we can extract the polynomials before answering the random oracle query((cj)j∈[`]opn).

Thus with overwhelming probability, for every ithe polynomialp0i(X) =P

j∈Piρjpj(X) has degree equal tomaxj∈Pideg(pj). Suppose exists i such thatpi has degree bigger than di. Then for the same indexiwe have thatXd−dip0i(X)−pi(X)6= 0. However, if this is the case, then we can build a reduction against the soundness of CPeq.

Zero-knowledge is straightforward: the commitments c1, . . . , c` are deterministic functions of the random oracleH, the values (cj)j∈[`] and the trapdoor s, while the remaining proofs πopn and πeq can be generated by using the simulators ofCPopn and CPeq respectively.

7.8.2 Scheme CP(2)deg.

We define the CP-SNARK CP(2)deg= (KeyGendeg,Derivedeg,Provedeg,Verifydeg) as follows.

KeyGendeg(ck): execute (ekopn,vkopn) ← KeyGenopn(ck), execute (ekqeq,vkqeq) ← KeyGenqeq(ck), parse ck as ([sj]1,[sj]2)j∈[0,d] defineek := (ck,ekopn,ekqeq) and vk := (([sj]2)j∈[0,d],vkopn,vkqeq), and return srs:= (ek,vk).

Derivedeg((dj)j∈[`]) generates a verification key for the vector of degrees(dj)j∈[`]as follows. Let{dj}j∈[`]

:={d1, . . . , d`}(repeated values are not counted), and set vkd:= ([sd−dj]2)i∈[`]. Provedeg(ek,(cj)j∈[`],(pj)j∈[`]):

1. Computeπopn ←Proveopn(srs,(cj)j∈[`],(pj)j∈[`]);

2. Let ρ1, . . . , ρ` ← H((dj)j∈[`],(cj)j∈[`]opn), let {d1, . . . , d`} = {dj}j∈[`] (repeated values are not counted), and letP1, . . . , P` be a partition of the set [`]such thatPk={j:aj =ak};

3. For all i∈[`]letc0i ←[p0(s)]1:= [P

j∈Piρj·pj(s)]1 andci ←[p(s)]1:= [sd−di ·P

j∈Piρj·pj(s)]1; 4. Computeπopn ←Proveopn(srs,(cj)j∈[`],(pj)j∈[`]).

5. For all i∈[`], defineGi( ˆXi, Xi0, Xi) = ˆXi·Xi0−Xi, and compute

πqeq←Proveqeq(ekeq,(Gi,v(i))i∈[`],([sd−di]2, c0i, ci)i∈[`],(Xd−di, p0i, pi)i∈[`])

6. Return(πopn, c1, . . . , c`opnqeq).

Verifydeg(vkd,(cj)j∈[`],π): Parseπ= (πopn, c1, . . . , c`opneq), and compute ρ1, . . . , ρ` and Gi,v(i) as the prover does. Return 1 iff :

1. Verifyopn(vkopn,(cj)j∈[`]opn) = 1and, 2. Verifyopn(vkopn,(cj)j∈[`]opn) = 1and,

3. Verifyqeq(vkeq,(Gi)i∈[`],([sd−di]2, c0i, ci)i∈[`]eq) = 1.

The security proof of CP(2)deg works essentially the same as that of CP(?)deg and is therefore omitted.

Theorem 7.10. If CPopn is a CP-SNARK for Ropn over CS2, and CPeq is a CP-SNARK forReq over CS2, then CP(2)deg is a knowledge-sound and zero-knowledge CP-SNARK forRdeg over CS2.

Efficiency. From the shape of all the quadratic polynomials Gi and the construction of CPqeq in Section 7.7, we observe that the proofπqeqis empty and it can be verified by checking, for everyi∈[`], e(P

j∈Piρjcj,[sd−di]2) = e(πi,[1]2). The cost of generating the rest of the proof requires generating two CPopn proofs, `·d G1-exponentiations and O(`·d) F-operations, whered= maxj∈[`]{deg(pj)}.

Verification additionally requires verification of twoCPopn proofs.

7.9 A general-purpose CP-SNARK for Rphp

Given the CP-SNARKs presented in the previous section, it is possible to construct CP-SNARKs for the commitment schemesCS1,CS2 and foranyPHP verifier checks, i.e., for the relationRphp discussed in Section 3.1. Such a CP-SNARKCPphpcan be obtained with three main building block CP-SNARKs:

one for Ropn (see Section 7.3), one for proving a bound on the degree of committed polynomials, and one for polynomial equations.

8 Our Compiler for Universal Commit-and-Prove zkSNARKs

In this section we show how to compile PHPs into CP-SNARKs. We present the compiler in Section 8.1.

It can be instantiated with the same building blocks presented in the previous section, plus additional ones that we present in Section 8.2,

8.1 Compiling to Commit-and-Prove Universal Interactive Arguments

We show how to adapt the compiler of Section 6.2 to produce acommit-and-prove succinct interactive argument in the SRS model.

Let PHP be a PHP protocol for a universal relation R such that for any triple (R,x,w) ∈ R, the witness splits into an`+ 1-tuplew:= ((uj)j∈[`], ω)∈ D1× · · · × D`× Dω.

We show how to compile PHP to acommit-and-prove UIA for R in which prover and verifier take as inputs commitments c1, . . . , c` to u1, . . . ,u` respectively. More in detail, UIAis a universal commit-and-prove argument forRand a type-based commitment schemeCS such that the commitments taken as input are of type lnk and satisfy full-fledged hiding. The reason to require these commitments to be hiding (instead of our weaker somewhat-hiding notion) is that these are supposed to be “regular”

commitments that may be generated independently of this proof system and that, for a general applica-tion scenario, should hide messages even if they are re-used an unbounded number of times for different proofs.19 We summarize the requirements on CS in the following definition.

Definition 8.1 (CP-Compiling Commitment Scheme). Let R be a universal relation such that for any (R,x,w) ∈ R, w := ((uj)j∈[`], ω) ∈ D1 ×. . .D`× Dω. We say CS = (Setup,Commit,VerCom) is a CP-compiling commitment scheme if it is a type-based commitment scheme for a class of types T ={rel,swh,lnk}, such that:

19Note that this for example rules out the use of polynomial commitments with “bounded-use randomizers” such as the one in [KZG10].

• commitments of type rel and swh are for messages that are polynomials F<d[X] for a given bound d∈N;

• commitments of type lnkare for messages in D such that for all i∈[`], Di ⊆ D;

• it is T-binding;

• it is swh-somewhat-hiding and lnk-hiding.

Additional building blocks. Besides the requirements of Section 6.2, we additionally require from theCS and fromPHP the following properties:

1. The PHP has a straight-line extractor (see Definition 3.3). Specifically, there exists an efficient ex-tractorWitExtract such thatWitExtract((pj)j∈[n]) =w.

2. CS is equipped with a zero-knowledge CP-SNARK CPlink = (KeyGenlink,Provelink,VerProoflink) that can “link” a tuple oflnk-typed commitments (opening to(uj)j∈[`]) with a tuple of n swh-typed com-mitments. The linking relation should also enforce that the latter commitments open to polynomials that somehow contain a witness for a universal relation. Specifically, CPlink is a ({lnk}`×(swh)n )-restricted complete ZK CP-SNARK for the universal relation Rlink parametrized by the algorithm WitExtract and by a PT decoding algorithmDecode:

Rlink((uj)j∈[`],(pj)j∈[n], ω) :=WitExtract((pj)j∈[n])= (Decode((u? j)j∈[`]), ω)

We additionally require theDecodealgorithm for a rather technical reason. Namely, the commitment scheme CScould encode the witness blocksui in different way, the decoding algorithm casts back to strings the encoding used by the commitment scheme CS.

The commit-and-prove compiler. LetUIA= (KeyGen,Derive,P,V) be the interactive protocol for Rfrom the last section. We show how we can make it commit-and-prove with some simple modifications.

In what follows, to distinguish the commitments (and the associated openings) taken as input by the protocol, from the commitments generated during the interaction, we denote the former ones with a hat.

Consider the interactive protocol that is the same asUIA but with the following modifications:

• The KeyGen algorithm does not sample a commitment key from CS.Setup but instead takes a com-mitment key ck of theCS commitment scheme.

• The prover on input ek, ˆx = (x,(ˆcj)j∈[`]) and wˆ = ((uj)j∈[`],(ˆoj)j∈[`], ω), executes the same as P(vk,x,((uj)j∈[`], ω)). Let (cj)j∈[k],(pj)j∈[k],(oj)j∈[k] be the k-tuples of commitments, polynomials and openings corresponding to the indices of the witness-carrying polynomials.

• At the last round the prover computes

πlink←Provelink(eklink,((ˆcj)j∈[`],(cj)j∈[k]),((uj)j∈[`],(pj)j∈[k]),((ˆoj)j∈[`],(oj)j∈[k]), ω)

• At the last round the verifier additionally checksblink←Verifylink(vklink,((ˆcj)j∈[`],(cj)j∈[n]),πlink), and output 1 if all the CP-SNARK proofs verify.

Theorem 8.1. Let PHP = (r,n,m,d,ne,RE,P,V) be a non-adaptive public-coin PHP overF and R, let CS be a compiling commitment scheme as in Definition 8.1 equipped with CP-SNARKs CPopn for Ropn, CPphp for a relation Rphp, andCPlink forRlink. Then we have:

• If PHP has witness-carrying polynomials, then the scheme UIA defined above is a universal commit and prove interactive argument in the SRS model forR0 such that:

(R,x,(uj)j∈[`], ω)∈ R0 ⇐⇒ (R,x,Decode((uj)j∈[`]), ω)∈ R.

• If, for a checker C, PHP (resp. CPphp) is (b+1,C)-bounded honest-verifier zero knowledge (resp.

trapdoor-commit (b,C)-leaky zero-knowledge), and both CPopn and CPlink are trapdoor-commitment zero-knowledge, then UIAis trapdoor-commitment honest-verifier zero-knowledge.

Note that the analogous of Remark 7 holds for this theorem as well.

While a proof of Theorem 8.1 is in Appendix C, we provide an intuition for the case `= 1. To prove knowledge soundness we should be able to extract(ˆo,u, ω)—valid CP-witnesses for the CP-version ofR—

fromc,ˆ x. Let us assume that the verifier accepts. We can run theCPlink extractor and obtainu,o, ωˆ as well vas ector of polynomialspwith respective openings for thecj-s. By knowledge soundness ofCPlink, u, ω as defined above extracted from the polynomials in p. In turn, we can claim these polynomials encode valid witnesses for relation R because, if they didn’t, we could obtain “valid” polynomials p0 by running the extractor of CPphp. These would also be valid openings to commitments c. If the polynomials in p0 were distinct from the polynomials in p then we would be able to break binding;

therefore, polynomials inpandp0 must be identical and encode witnesses forR. In order to prove zero-knowledge we extend the simulator from Theorem 6.1 by appending to its output that of the simulator of CPlink. a zero-knowledge CP-SNARK. We run the latter by feeding it the appropriate commitments cj-s corresponding to thek witness-carrying polynomials.

8.2 Pairing-Based Instantiations of our Building Blocks 8.2.1 Commitment Scheme

We describe the polynomial commitment schemeCS which supports types lnk,swh,rel. The scheme is an extension of CSg for g ∈ {1,2}. The algorithms (Setup,Commit,VerCom) of CSg are defined as follows:

Setup(1λ, d): run ck0←Setupg(1λ, d), sample randomα←$Fand outputck=ck0,[α, αs, αs2]1.

Commit(ck,type, p)→(c, o): if type6=lnkoutput the same asCommitg, else sample o←$Fand output [p(s) +α·o]1.

VerCom(ck,type, c, p, o): if type6=lnkoutput the same asVerComg, else check if c=? p([s]1) +o[α]1. Remark 15. Notice that the values[αs, αs2]1 are not needed for hiding, however they are useful for the CP-SNARK for polynomial evaluation that we present next.

VerCom(ck,type, c, p, o): if type6=lnkoutput the same asVerComg, else check if c=? p([s]1) +o[α]1. Remark 15. Notice that the values[αs, αs2]1 are not needed for hiding, however they are useful for the CP-SNARK for polynomial evaluation that we present next.